SecurityEnforcementFilter (Acegi Security System for Spring 1.0.0-RC1 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.acegisecurity.intercept.web
Class SecurityEnforcementFilter

java.lang.Object
  org.acegisecurity.intercept.web.SecurityEnforcementFilter

All Implemented Interfaces:: javax.servlet.Filter, InitializingBean

public class SecurityEnforcementFilter
extends Object
implements javax.servlet.Filter, InitializingBean
extends Object
implements javax.servlet.Filter, InitializingBean

Wraps requests to the FilterSecurityInterceptor.

This filter is necessary because it provides the bridge between incoming requests and the FilterSecurityInterceptor instance.

If an AuthenticationException is detected, the filter will launch the authenticationEntryPoint. This allows common handling of authentication failures originating from any subclass of AbstractSecurityInterceptor.

If an AccessDeniedException is detected, the filter will determine whether or not the user is an anonymous user. If they are an anonymous user, the authenticationEntryPoint will be launched. If they are not an anonymous user, the filter will respond with a HttpServletResponse.SC_FORBIDDEN (403 error). In addition, the AccessDeniedException itself will be placed in the HttpSession attribute keyed against ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY (to allow access to the stack trace etc). Again, this allows common access denied handling irrespective of the originating security interceptor.

To use this filter, it is necessary to specify the following properties:

filterSecurityInterceptor indicates the FilterSecurityInterceptor to delegate HTTP security decisions to.
authenticationEntryPoint indicates the handler that should commence the authentication process if an AuthenticationException is detected. Note that this may also switch the current protocol from http to https for an SSL login.
portResolver is used to determine the "real" port that a request was received on.

Do not use this class directly. Instead configure web.xml to use the FilterToBeanProxy.

Version:: $Id: SecurityEnforcementFilter.java,v 1.22 2005/11/25 04:38:18 benalex Exp $
Author:: Ben Alex, colin sampaleanu

Field Summary
`static String`	`ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY`

Constructor Summary
`SecurityEnforcementFilter()`

Method Summary
`void`	`afterPropertiesSet()`
`void`	`destroy()`
`void`	`doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)`
`AuthenticationEntryPoint`	`getAuthenticationEntryPoint()`
`AuthenticationTrustResolver`	`getAuthenticationTrustResolver()`
`FilterSecurityInterceptor`	`getFilterSecurityInterceptor()`
`PortResolver`	`getPortResolver()`
`void`	`init(javax.servlet.FilterConfig filterConfig)`
`boolean`	`isCreateSessionAllowed()` If `true`, indicates that `SecurityEnforcementFilter` is permitted to store the target URL and exception information in the `HttpSession` (the default).
`protected void`	`sendAccessDeniedError(FilterInvocation fi, AccessDeniedException accessDenied)`
`protected void`	`sendStartAuthentication(FilterInvocation fi, AuthenticationException reason)`
`void`	`setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint)`
`void`	`setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver)`
`void`	`setCreateSessionAllowed(boolean createSessionAllowed)`
`void`	`setFilterSecurityInterceptor(FilterSecurityInterceptor filterSecurityInterceptor)`
`void`	`setPortResolver(PortResolver portResolver)`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY

public static final String ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY

See Also:: Constant Field Values

Constructor Detail